
# Dawn Song, Midterm 1 (solution), Spring 2012


Dawn Song

Spring 2012

CS 161 Computer Security

Midterm

Your Full Name:

Your Berkeley Email:

This is a closed-book midterm. You may not consult any lecture or written notes, cheatsheets, textbooks, etc. Calculators and computers are not permitted. Please write your answers in the spaces provided in the test. We will not grade anything on the back of an exam page unless we are clearly told on the front of the page to look there.

You have 80 minutes. There are 6 questions, of varying credit (62 points total). The questions are of varying difficulty, so avoid spending too long on any one question.

Do not turn this page until your instructor tells you to do so.

| Question | Points | Total |
|-----------|--------|-------|
| Problem 1 |        | 6     |
| Problem 2 |        | 10    |
| Problem 3 |        | 9     |
| Problem 4 |        | 8     |
| Problem 5 |        | 10    |
| Problem 6 |        | 18    |
| Total     |        | 61    |

1. (6 points) Control Hijacking

Indicate whether the statement is always valid. Indicate true or false, and give a one sentence explanation.

Answer: +1 point for correct true/false statement. +1 point for correct explanation.

(a) (2 points) A stack canary prevents control hijacking from occurring.

True. Reason:

False. Reason:

Answer: False. Canaries protect against stack-based attacks by detecting when the return address is modified. This prevents buffer overflows, but does not prevent other exploits like exception handlers, pointer overwriting/subterfuge, heap exploits, etc.

(b) (2 points) Consider the following program:

```c
#include <string.h>

typedef void (*type_fp)(void);

void happy_function() {
    // something
}

int a(char *s) {
    type_fp hf = (type_fp)(&happy_function);
    char buf[16];
    strncpy(buf, s, 18);
    (*hf)();
    return 0;
}
```

Assume that you control the input to the function a(). You can make the program behave incorrectly and jump to any arbitrary address.

True. Reason:

False. Reason:

Answer: False. In this scenario, a maximum of 2 bytes of the function pointer can be overwritten (size 16 buffer on stack, with size 18 parameter to strncpy). In order to jump to any arbitrary address, 4 bytes of address space are required to be overwritten.

(c) (2 points) Return oriented programming (arc-injection) is a viable technique to use to defeat stack canaries.

True. Reason:

False. Reason:

Answer: False. The canary is stored on the stack at a lower memory address than the return address. This means that when the buffer is overflowed to change the return address for an arc injection attack, the canary will also be overwritten, causing the data injection to fail. Arc injection, in general, only defeats non-executable stack protection.
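The 2-byte overwrite from question 1(b), modelled as an added example that is not part of the original exam. It assumes, as the answer does, that hf sits directly above buf and that an address is 4 bytes; `struct frame`, `copy_n` and `hf_bytes_clobbered` are hypothetical names. Because strncpy pads with NULs up to its bound, the model also shows that even a short input changes those 2 bytes, while a bound of 16 leaves hf intact.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16  /* char buf[16] in a() */
#define FP_SIZE   4  /* assumption: 4-byte address, as in the answer */
#define FP_FILL 0x11 /* constructed stand-in for the bytes of hf */

/* Model of a()'s locals. Assumption: hf sits directly above buf. */
struct frame {
    unsigned char buf[BUF_SIZE];
    unsigned char hf[FP_SIZE];
};

/* Same semantics as strncpy(dst, src, n): copy at most n bytes of src,
   then pad with NULs until exactly n bytes have been written. */
static void copy_n(unsigned char *dst, const char *src, size_t n) {
    size_t i = 0;
    for (; i < n && src[i] != '\0'; i++) dst[i] = (unsigned char)src[i];
    for (; i < n; i++) dst[i] = 0;
}

/* Number of hf bytes changed when s is copied into buf with bound n. */
size_t hf_bytes_clobbered(const char *s, size_t n) {
    struct frame f;
    size_t changed = 0;
    if (n > sizeof f) n = sizeof f;      /* keep the model itself in bounds */
    memset(f.buf, 0, sizeof f.buf);
    memset(f.hf, FP_FILL, sizeof f.hf);
    copy_n((unsigned char *)&f, s, n);   /* byte-wise write into the model */
    for (size_t i = 0; i < FP_SIZE; i++)
        if (f.hf[i] != FP_FILL) changed++;
    return changed;
}

int main(void) {
    const char *long_in = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* constructed */
    printf("n=18, long input : %zu\n", hf_bytes_clobbered(long_in, 18));
    printf("n=18, short input: %zu\n", hf_bytes_clobbered("hi", 18));
    printf("n=sizeof buf     : %zu\n", hf_bytes_clobbered(long_in, BUF_SIZE));
    return 0;
}
```

With the bound set to the buffer size nothing outside buf is written, but strncpy then leaves buf unterminated for inputs of 16 bytes or more, so real code also sets the last byte of buf to NUL.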

2. (10 points) Symbolic Execution

Consider the following program:

```c
 1 void caller (int a, int b) {
 2   int *ptr;
 3
 4   if (b > 0) {
 5     ptr = getbuf(a,b);
 6     if (ptr != NULL)
 7       ptr[0] = 0;
 8   }
 9 }
10
11 int *getbuf (int x, int y) {
12
13   /* initialize all elements to zero */
14   int buf[20] = { 0 };
15   int z;
16
17   if (x > y)
18     return NULL;
19   if (x < 0)
20     z = x;
21   else
22     z = x;
23   if (z < 20)
24     buf[z] = y;
25   return buf;
26 }
```

(a) (2 points) Consider the assignment at line 7. Is this assignment memory safe? Explain your reasoning in one sentence.